11.15.2005

Sony to replace rootkit infected CDs

Ars Technica reports that Sony-BMG will be offering an exchange program for CDs with their XCP DRM software installed. It's a step in the right direction, but it remains to be seen if it will help their public image.

The widespread anti-Sony outcry (along with the class-action lawsuits) has forced the entertainment conglomerate into a move they should have made at the beginning of the crisis—finally pulling the infested discs from store shelves. Those unfortunate enough to have purchased music from Sony and gotten an unexpected rootkit as part of the bargain will be able to exchange their discs for one without the malware.

The root of the problem is a serious design flaw in Sony’s web-based uninstaller. When you first fill out Sony’s form to request a copy of the uninstaller, the request form downloads and installs a program – an ActiveX control created by the DRM vendor, First4Internet – called CodeSupport. CodeSupport remains on your system after you leave Sony’s site, and it is marked as safe for scripting, so any web page can ask CodeSupport to do things. One thing CodeSupport can be told to do is download and install code from an Internet site. Unfortunately, CodeSupport doesn’t verify that the downloaded code actually came from Sony or First4Internet. This means any web page can make CodeSupport download and install code from any URL without asking the user’s permission.
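As an added defender's check (not code from the original post, Sony or First4Internet), the PowerShell below enumerates every COM control the registry marks "Safe for scripting", the flag that let any web page drive CodeSupport, and reports where each control's binary lives and whether it carries an Authenticode signature. It assumes only the standard Windows component-category GUIDs from comcat.h; CodeSupport's own CLSID is not on the page, so nothing is hard-coded to it and the listing is meant to be reviewed by vendor and path.

```powershell
# Added example, not code from the original post or from Sony/First4Internet.
# Lists COM/ActiveX controls registered as "Safe for scripting": the property that
# let any web page drive CodeSupport. CodeSupport's own CLSID is not given on the
# page, so nothing here is hard-coded to it; review the Name/Binary columns instead.

# Component-category GUIDs defined in the Windows SDK header comcat.h.
$SafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'
$SafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'

function Get-SafeForScriptingControls {
    # Per-machine (64- and 32-bit views) and per-user CLSID registrations.
    $roots = @('HKLM:\SOFTWARE\Classes\CLSID',
               'HKLM:\SOFTWARE\WOW6432Node\Classes\CLSID',
               'HKCU:\SOFTWARE\Classes\CLSID') | Where-Object { Test-Path $_ }

    foreach ($root in $roots) {
        foreach ($clsid in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            $catKey = "$($clsid.PSPath)\Implemented Categories"
            if (-not (Test-Path $catKey)) { continue }
            $cats = @(Get-ChildItem -Path $catKey -ErrorAction SilentlyContinue | ForEach-Object PSChildName)
            if ($cats -notcontains $SafeForScripting) { continue }

            # Locate the control's code: in-process DLL/OCX first, else out-of-process EXE.
            $binary = $null
            foreach ($sub in 'InprocServer32', 'LocalServer32') {
                $p = Get-ItemProperty -Path "$($clsid.PSPath)\$sub" -ErrorAction SilentlyContinue
                if ($p -and $p.'(default)') { $binary = $p.'(default)'; break }
            }
            # Strip quotes and expand env vars so the file can be signature-checked;
            # LocalServer32 values carrying arguments will simply report NotFound.
            $path = if ($binary) { [Environment]::ExpandEnvironmentVariables(($binary -replace '"', '')) } else { $null }
            $sig  = if ($path -and (Test-Path -LiteralPath $path)) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NotFound' }

            [pscustomobject]@{
                CLSID       = $clsid.PSChildName
                Name        = (Get-ItemProperty -Path $clsid.PSPath -ErrorAction SilentlyContinue).'(default)'
                Binary      = $binary
                SafeForInit = ($cats -contains $SafeForInitializing)
                Signature   = $sig
                Hive        = $root
            }
        }
    }
}

# Unsigned controls from unrecognised vendors with both flags set deserve a closer look.
Get-SafeForScriptingControls | Sort-Object Signature, Name | Format-Table -AutoSize
```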